TDSS Botnet Hired Out for Anonymous Web Operations

A very large and sophisticated TDSS botnet has reportedly been openly renting out its infected computers to anyone willing to pay for them. The botnet's operators have even built a Firefox add-on to help their customers, KrebsOnSecurity reported on September 6, 2011.

Further, according to security company Kaspersky, the TDSS botnet accepts payment via Visa, MasterCard, PayPal and e-currencies such as Liberty Reserve and WebMoney.

Kaspersky researchers Igor Soumenkov and Sergey Golovanov, who published a detailed analysis of TDSS in June 2011, explain that the malware installs numerous components, among which the "socks.dll" file is notable because it lets third parties route their Web browsing through the infected computers anonymously.

The TDSS malware, also known as TDL-4, uses a rootkit to infect computers running Windows. It also removes about 20 rival malware programs from the machines it infects, cutting off their communication with other groups of malicious bots.

Golovanov states that once a PC is infected, the socks.dll file contacts awmproxy.net to report that a new proxy is available for hire. The infected computer then immediately begins accepting proxy requests.

At present, over 24,000 proxies are advertised for hire through awmproxy.net. The number of proxies available varies widely from day to day, and even within a single 24-hour period, because TDSS-infected computers are not always switched on, for example during weekends or holidays.

The storefront for the huge TDSS botnet is awmproxy.net, which advertises the world's fastest anonymous proxies. According to Golovanov, when TDSS installs the socks.dll file on a computer it infects, socks.dll notifies awmproxy.net of a new proxy available for hire. Shortly afterwards, the infected computer begins receiving about ten proxy requests every 60 seconds, he says.
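The behaviour Golovanov describes, an ordinary workstation that suddenly starts answering inbound proxy connections from many unrelated external addresses, is something a network team can look for in flow logs. The script below is an added example and is not code from the article, from Kaspersky or from KrebsOnSecurity; the log format, the internal 10.0.0.0/8 range, the approved-server list and the threshold of five distinct external sources within a 60-second window are all assumptions, and the flow records are constructed for illustration.

```python
"""Flag internal hosts that begin serving inbound connections from many
distinct external addresses, the pattern the article attributes to an
infected machine running socks.dll.

Added example, not from the article or the researchers it quotes.
Log format, network ranges, thresholds and records are constructed."""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumed address plan: everything in 10.0.0.0/8 is internal.
INTERNAL_NET = ip_network("10.0.0.0/8")

# Assumed list of hosts that are expected to accept inbound traffic.
KNOWN_SERVERS = frozenset({"10.0.0.40"})

# Constructed flow records: "timestamp src_ip dst_ip dst_port direction".
# "in" means the connection was initiated from outside toward the dst host.
# 10.0.0.15 is a workstation that suddenly takes ten inbound connections
# from ten different external addresses within one minute.
SAMPLE_FLOWS = """\
2011-09-06T10:00:03 198.51.100.7 10.0.0.15 1080 in
2011-09-06T10:00:09 203.0.113.41 10.0.0.15 1080 in
2011-09-06T10:00:14 192.0.2.88 10.0.0.15 1080 in
2011-09-06T10:00:20 198.51.100.19 10.0.0.15 1080 in
2011-09-06T10:00:27 203.0.113.5 10.0.0.15 1080 in
2011-09-06T10:00:33 192.0.2.130 10.0.0.15 1080 in
2011-09-06T10:00:40 198.51.100.77 10.0.0.15 1080 in
2011-09-06T10:00:46 203.0.113.200 10.0.0.15 1080 in
2011-09-06T10:00:52 192.0.2.9 10.0.0.15 1080 in
2011-09-06T10:00:58 198.51.100.3 10.0.0.15 1080 in
2011-09-06T10:00:30 10.0.0.22 203.0.113.50 443 out
2011-09-06T10:00:45 198.51.100.60 10.0.0.22 3389 in
2011-09-06T10:00:50 10.0.0.15 203.0.113.70 80 out
2011-09-06T10:01:10 198.51.100.8 10.0.0.40 443 in
2011-09-06T10:01:12 203.0.113.9 10.0.0.40 443 in
2011-09-06T10:01:15 192.0.2.3 10.0.0.40 443 in
2011-09-06T10:01:18 198.51.100.21 10.0.0.40 443 in
2011-09-06T10:01:20 203.0.113.77 10.0.0.40 443 in
2011-09-06T10:01:22 192.0.2.55 10.0.0.40 443 in
"""


def parse_flows(text):
    """Parse the constructed whitespace-separated flow format."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, direction = line.split()
        flows.append({
            "ts": datetime.fromisoformat(ts),
            "src": src,
            "dst": dst,
            "port": int(port),
            "direction": direction,
        })
    return flows


def peak_inbound_sources(flows, window_seconds=60):
    """For each internal host, return the largest number of distinct external
    source addresses that opened connections to it inside any sliding window
    of window_seconds. Internal-to-internal traffic is ignored."""
    per_host = defaultdict(list)
    for f in flows:
        if f["direction"] != "in":
            continue
        if ip_address(f["src"]) in INTERNAL_NET:
            continue
        per_host[f["dst"]].append((f["ts"], f["src"]))

    peaks = {}
    for host, events in per_host.items():
        events.sort()  # records may arrive out of order across hosts
        best = 0
        for i, (start, _) in enumerate(events):
            seen = set()
            for ts, src in events[i:]:
                if (ts - start).total_seconds() >= window_seconds:
                    break
                seen.add(src)
            best = max(best, len(seen))
        peaks[host] = best
    return peaks


def find_unexpected_proxies(flows, threshold=5, window_seconds=60,
                            known_servers=KNOWN_SERVERS):
    """Hosts that are not approved servers yet exceed the inbound-source
    threshold; the value is the peak distinct-source count observed."""
    return {
        host: count
        for host, count in peak_inbound_sources(flows, window_seconds).items()
        if count >= threshold and host not in known_servers
    }


if __name__ == "__main__":
    for host, count in find_unexpected_proxies(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{host}: {count} distinct external sources in 60s, "
              f"not an approved server")
```

The approved-server allowlist is what keeps a legitimate web server (10.0.0.40 in the sample) out of the alert, and the distinct-source count, rather than a raw connection count, separates a machine being rented out as a proxy from a single external party retrying against one host. In a real deployment the internal range, the allowlist and the threshold would come from the organisation's own network inventory.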

Golovanov adds that it is enough to note that the awmproxy.net module for TDL4 is loaded directly into the encrypted area and executed via the rootkit functionality. This shows that the additional proxy module is directly connected to the TDL4 developer, although exactly how the two parties collaborate is not yet known, the researcher says. KrebsOnSecurity published this on September 6, 2011.